Securite #72
Bumps [jsdom](https://github.com/jsdom/jsdom) from 27.4.0 to 28.0.0.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Changelog](https://github.com/jsdom/jsdom/blob/main/Changelog.md)
- [Commits](jsdom/jsdom@27.4.0...28.0.0)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 28.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [tldts](https://github.com/remusao/tldts) from 7.0.21 to 7.0.22.
- [Release notes](https://github.com/remusao/tldts/releases)
- [Changelog](https://github.com/remusao/tldts/blob/master/CHANGELOG.md)
- [Commits](remusao/tldts@v7.0.21...v7.0.22)

---
updated-dependencies:
- dependency-name: tldts
  dependency-version: 7.0.22
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

…0.22' into securite

…re-7.0.22' into securite

Bumps [@asamuzakjp/css-color](https://github.com/asamuzaK/cssColor) from 4.1.1 to 4.1.2.
- [Release notes](https://github.com/asamuzaK/cssColor/releases)
- [Commits](asamuzaK/cssColor@v4.1.1...v4.1.2)

---
updated-dependencies:
- dependency-name: "@asamuzakjp/css-color"
  dependency-version: 4.1.2
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

…jp/css-color-4.1.2' into securite

Bumps [@asamuzakjp/dom-selector](https://github.com/asamuzaK/domSelector) from 6.7.7 to 6.7.8.
- [Release notes](https://github.com/asamuzaK/domSelector/releases)
- [Commits](asamuzaK/domSelector@v6.7.7...v6.7.8)

---
updated-dependencies:
- dependency-name: "@asamuzakjp/dom-selector"
  dependency-version: 6.7.8
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

…jp/dom-selector-6.7.8' into securite

Bumps [@exodus/bytes](https://github.com/ExodusOSS/bytes) from 1.11.0 to 1.12.0.
- [Release notes](https://github.com/ExodusOSS/bytes/releases)
- [Commits](ExodusOSS/bytes@v1.11.0...v1.12.0)

---
updated-dependencies:
- dependency-name: "@exodus/bytes"
  dependency-version: 1.12.0
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

…ytes-1.12.0' into securite

Bumps [tldts-core](https://github.com/remusao/tldts) from 7.0.22 to 7.0.23.
- [Release notes](https://github.com/remusao/tldts/releases)
- [Changelog](https://github.com/remusao/tldts/blob/master/CHANGELOG.md)
- [Commits](remusao/tldts@v7.0.22...v7.0.23)

---
updated-dependencies:
- dependency-name: tldts-core
  dependency-version: 7.0.23
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [axios](https://github.com/axios/axios) from 1.13.4 to 1.13.5.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.4...v1.13.5)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.13.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

…re-7.0.23' into securite

…13.5' into securite

Bumps [undici](https://github.com/nodejs/undici) from 7.20.0 to 7.21.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.20.0...v7.21.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.21.0
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

….21.0' into securite
@copilot fix what isn't passing

@EthanThePhoenix38 I've opened a new pull request, #73, to work on those changes. Once the pull request is ready, I'll request review from you.
Pull request overview
Updates JavaScript dependencies as part of an automated security batch, including a jsdom major-version bump, and records those automated updates in the changelog.
Changes:
- Bump `axios` from `^1.13.4` to `^1.13.5`.
- Bump `jsdom` from `^27.4.0` to `^28.0.0` (and refresh related transitive lockfile entries).
- Append multiple “Automated Security Batch Update” entries across several versions in `CHANGELOG.md`.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| package.json | Updates direct dependency versions (axios, jsdom). |
| package-lock.json | Updates resolved versions / integrity hashes and transitive dependency graph for the bumped packages. |
| CHANGELOG.md | Adds repeated automated security batch update log lines under multiple release sections. |
| "jimp": "^1.6.0", | ||
| "jsdom": "^27.4.0", | ||
| "jsdom": "^28.0.0", | ||
| "openai": "^6.17.0", |
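Review bot: the `"jsdom": "^27.4.0"` to `"^28.0.0"` change is a semver-major bump (the commit message itself tags it `version-update:semver-major`, `direct:production`) kept under a caret range, yet nothing in this PR records which jsdom 27 to 28 breaking changes were checked against the code that uses it; add that to the PR description or the changelog entry, pointing at the Changelog link the commit message already carries, and confirm package-lock.json resolves jsdom to exactly 28.0.0 as the #73 analysis states before merging.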
Copilot (AI), Feb 9, 2026:
Bumping jsdom to v28 raises the effective minimum Node.js version (package-lock shows jsdom requires "node": "^20.19.0 || ^22.12.0 || >=24.0.0", and isomorphic-dompurify requires >=20.19.5). However, this repo’s package.json engines still allows ">=20.0.0", which can lead to installs/runs on Node 20.0–20.18 that will fail dependency engine checks. Align the engines.node range with the strictest dependency requirement (and ensure CI/runtime uses that version).
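The check the comment above asks for can be automated instead of read off by hand. The script below is an added example, not code from this PR or the project: it walks a lockfile, collects every dependency's `engines.node` range, and reports the Node versions that the root `engines.node` range admits but some dependency rejects. The lockfile excerpt and the list of probe versions are constructed for the example (the three ranges in it are the ones quoted in the comment); the small range matcher is hand-written so the script runs offline, and it handles only full `x.y.z` comparators, not wildcards or partial versions.

```javascript
// Added example, not code from this PR or the project: find Node versions that
// the root "engines.node" range admits but an installed dependency's own
// "engines.node" range rejects. A small hand-written matcher stands in for the
// npm "semver" package so the script runs offline.

function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(s).trim());
  if (!m) throw new Error(`unsupported version: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// One comparator: ^x.y.z, ~x.y.z, >=x.y.z, >x.y.z, <=x.y.z, <x.y.z, =x.y.z or x.y.z.
// Wildcards and partial versions (">=20", "20.x") are deliberately not handled.
function comparatorMatches(comp, v) {
  const m = /^(\^|~|>=|<=|>|<|=)?v?(\d+)\.(\d+)\.(\d+)$/.exec(comp);
  if (!m) throw new Error(`unsupported comparator: ${comp}`);
  const op = m[1] || "=";
  const base = [Number(m[2]), Number(m[3]), Number(m[4])];
  const c = compareVersions(v, base);
  switch (op) {
    case "=":  return c === 0;
    case ">":  return c > 0;
    case ">=": return c >= 0;
    case "<":  return c < 0;
    case "<=": return c <= 0;
    case "^":  // not below base, same major (and same minor when the major is 0)
      return c >= 0 && v[0] === base[0] && (base[0] !== 0 || v[1] === base[1]);
    case "~":  // not below base, same major.minor
      return c >= 0 && v[0] === base[0] && v[1] === base[1];
    default:   throw new Error(`unsupported operator: ${op}`);
  }
}

// A range is comparator sets joined by "||"; inside a set, every
// space-separated comparator must hold.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split("||").some((set) =>
    set.trim().split(/\s+/).every((comp) => comparatorMatches(comp, v)),
  );
}

// Constructed lockfile excerpt in npm lockfileVersion 3 shape, reduced to the
// fields the check reads. The engines ranges are the ones quoted in the review
// comment; axios carries no engines field here and is treated as "any Node".
const LOCKFILE = {
  packages: {
    "": { name: "example-app", engines: { node: ">=20.0.0" } },
    "node_modules/jsdom": {
      version: "28.0.0",
      engines: { node: "^20.19.0 || ^22.12.0 || >=24.0.0" },
    },
    "node_modules/isomorphic-dompurify": { engines: { node: ">=20.19.5" } },
    "node_modules/axios": { version: "1.13.5" },
  },
};

// Constructed probe list: points around the range boundaries above, not a
// complete Node release history.
const PROBE_VERSIONS = [
  "20.0.0", "20.18.3", "20.19.0", "20.19.5", "21.7.3", "22.11.0", "22.12.0", "24.0.0",
];

function dependencyEngines(lock) {
  return Object.entries(lock.packages)
    .filter(([path, pkg]) => path !== "" && pkg.engines && pkg.engines.node)
    .map(([path, pkg]) => ({ name: path.replace(/^.*node_modules\//, ""), range: pkg.engines.node }));
}

// Map of probe version -> names of dependencies that reject it, restricted to
// versions the root range admits. An empty map means the root range is at
// least as strict as every dependency's.
function findEngineGaps(lock, probes) {
  const root = lock.packages[""];
  const rootRange = root.engines && root.engines.node;
  const deps = dependencyEngines(lock);
  const gaps = {};
  for (const version of probes) {
    if (rootRange && !satisfies(version, rootRange)) continue;
    const rejecting = deps.filter((d) => !satisfies(version, d.range)).map((d) => d.name);
    if (rejecting.length > 0) gaps[version] = rejecting;
  }
  return gaps;
}

// Lowest probe version that every dependency accepts: a candidate lower bound
// for a corrected root range. Returns null when no probe qualifies.
function lowestVersionAllDepsAccept(lock, probes) {
  const deps = dependencyEngines(lock);
  const ok = probes
    .filter((p) => deps.every((d) => satisfies(p, d.range)))
    .sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)));
  return ok.length > 0 ? ok[0] : null;
}

console.log("engine gaps:", findEngineGaps(LOCKFILE, PROBE_VERSIONS));
console.log("lowest version all dependencies accept:", lowestVersionAllDepsAccept(LOCKFILE, PROBE_VERSIONS));
```

On a real repository, replace `LOCKFILE` with the parsed `package-lock.json` and the probe list with the Node lines actually in use. With the ranges quoted in the comment, the output shows why a single lower bound is not enough: raising the root range to `>=20.19.5` closes the 20.0.0 to 20.19.4 gap but still admits 21.x and 22.0 to 22.11, which jsdom's range rejects, so the corrected root range should mirror jsdom's disjunction (`^20.19.5 || ^22.12.0 || >=24.0.0`) rather than a bare `>=`.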
| - **2026-02-09 06:35 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-09 06:34 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-09 06:33 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-09 06:33 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-09 06:33 UTC**: Automated Security Batch Update (DependabotSecureFlow) |
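Review bot: the five added lines differ only in timestamps two minutes apart and name neither the package nor the versions changed, so a reader cannot tell which of this PR's bumps (jsdom 27.4.0 to 28.0.0, axios 1.13.4 to 1.13.5, undici 7.20.0 to 7.21.0, and the indirect ones) each entry records; have the automation emit one entry per bump carrying the package and version range, e.g. `- **2026-02-09**: jsdom 27.4.0 → 28.0.0 (automated security update)`, instead of one timestamp line per run.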
Copilot (AI), Feb 9, 2026:
These DependabotSecureFlow entries are duplicated and appear under a release section dated earlier (v1.1.0 is 2026-01-31, but the entries are 2026-02-xx). This makes the changelog misleading and noisy. Consider deduplicating and moving automated security-update logs into an "Unreleased" section or into the correct released version entry only once.
| - **2026-02-09 06:35 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-09 06:34 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-09 06:33 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-09 06:33 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-09 06:33 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-06 06:17 UTC**: Automated Security Batch Update (DependabotSecureFlow) |
Copilot (AI), Feb 9, 2026:
This block repeats the same automated security batch update lines already listed in other versions. Changelog entries should describe changes specific to this release; please remove duplicates and keep the security update note in a single appropriate section (e.g., Unreleased or the actual version containing the dependency bumps).
| - **2026-02-09 06:35 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-09 06:34 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-09 06:33 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-09 06:33 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-09 06:33 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-06 06:17 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-06 06:17 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-06 06:16 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-04 06:17 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-04 06:17 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-03 07:59 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-02 06:36 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-02 06:35 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-02 06:34 UTC**: Automated Security Batch Update (DependabotSecureFlow) |
Copilot (AI), Feb 9, 2026:
This section for v1.0.0 now contains repeated 2026-02-xx automated security-update entries, which are unrelated to the initial 2025-12-10 release and duplicate notes elsewhere. Please remove these duplicates and keep security update notes scoped to the version(s) where the dependency changes occurred.
| - **2026-02-09 06:35 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-09 06:34 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-09 06:33 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-09 06:33 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-09 06:33 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-06 06:17 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-06 06:17 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-06 06:16 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-04 06:17 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-04 06:17 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-03 07:59 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-02 06:36 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-02 06:35 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-02 06:34 UTC**: Automated Security Batch Update (DependabotSecureFlow) |
…issue (#73)

Investigated "fix what isn't passing" comment on PR #72 (security dependency updates). Found workflow failure unrelated to code quality.

## Root Cause

AI-Pulse Auto Aggregator workflow failed at `2026-02-09T08:41:45Z` with:

```
remote: fatal error in commit_refs
! [remote rejected] main -> main (failure)
error: failed to push some refs
```

## Analysis

- ✅ No npm vulnerabilities (`npm audit` clean)
- ✅ JavaScript syntax valid
- ✅ Dependencies current (axios 1.13.5, jsdom 28.0.0, undici 7.21.0)
- ❌ GitHub remote rejected automated push to main

## Issue Type

GitHub infrastructure/configuration, not code defect. Potential causes:

- Branch protection rules blocking workflow pushes
- Insufficient GitHub Actions token permissions
- Concurrent push conflict
- Transient GitHub API issue

## Recommendation

Verify Settings → Branches → main protection rules and ensure workflow has `contents: write` permission.